authorColin Watson <cjwatson@debian.org>2014-10-07 13:22:41 +0100
committerColin Watson <cjwatson@debian.org>2016-12-28 20:05:04 +0000
commit10d7583287f2d589da0786819e62a0be5ec9847f (patch)
tree417ba0a3a1b0b1516c2715f4213293da02450ce5
parent40ab38b3f501f3e21662f0294eef06789605c5f8 (diff)
Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
-rw-r--r--configure.ac57
-rw-r--r--sshd.87
-rw-r--r--sshd.c25
3 files changed, 89 insertions, 0 deletions
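--- a/configure.ac
+++ b/configure.ac
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
  ]
 )
 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5105,6 +5161,7 @@ echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"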
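Review bot: saved_LDFLAGS and saved_CPPFLAGS are captured at the top of the --with-tcp-wrappers branch but never put back — only `LIBS="$saved_LIBS"` is restored after the link test — so a `--with-tcp-wrappers=PATH` build leaves the `-L`/`-R`/`-I` additions for PATH in the global LDFLAGS/CPPFLAGS for every later configure test and for the final link of every binary, not just sshd. If that is the intent (SSHDLIBS gets `-lwrap` separately, which suggests sshd is meant to be the only consumer), drop the two dead assignments; otherwise restore them beside LIBS with `LDFLAGS="$saved_LDFLAGS"` and `CPPFLAGS="$saved_CPPFLAGS"`. Either way a one-line comment above the restore saying which it is would stop the next reader from re-asking. The link probe only proves that hosts_access() links; since sshd.c also calls request_init(), fromhost() and refuse(), a stub or partial libwrap would pass configure and fail at sshd's link, so it is cheap to reference `refuse(0);` in the same probe. The first context lines close an AC_ARG_WITH([skey]) that starts before the hunk.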
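--- a/sshd.8
+++ b/sshd.8
@@ -825,6 +825,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,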
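--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1978,6 +1985,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
  audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
 
  /* Log the connection. */
  laddr = get_local_ipaddr(sock_in);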